From: David Mehler

> I've got two questions. I'm having to redo my form. Can you tell me
> the difference if any between these two lines of code? This is for
> output filtering.
> <textarea name="description"> <?php echo htmlout("$description");
> <textarea name="description"><?php echo htmlout($description); ?>
> One has the quotes around the parameter in the function call the other
> does not. Here's the functions:
> function html($text)
> {
>       return htmlentities($text, ENT_QUOTES, 'UTF-8');
> }
> function htmlout($text)
> {
>       return html($text);
> }

The version with quotes will go through a superfluous step of parsing
the string and then doing the substitution. The other will simply do the

> My second question is I'm wanting to do input filtering to prevent
> anything malicious from coming in to my form. The eventual goal is to
> get this information in to a database. Here's an insecure name field
> i'm wanting to secure it against html tags, strange text, no symbols
> except perhaps period, dash, letters, numbers alpha numeric stuff.
> $name = $_POST['name'];
> <div>
> <label for="name">Name*:</label>
> <input type="text" name="name" id="name" size="50" value="<?php echo
> htmlout($name); ?>" /> <br />
> </div>
> In my previous form i used a variable declaration like:
> $name = trim($_POST['name']);
> but I can probably do better, as I said this is eventually going in to
> a database.

There are actually two stages to this, sanitization and validation. The
first strips out dangerous characters, tags, etc. The second is to
verify that the content is actually within the acceptable range of
answers for your system. i.e. if you are using English names, there are
no Cyrillic characters in there. In some cases there is also a third
step, which varies depending on where you are using the string. For a
database, there are usually escape functions with the DB library to
prepare it for storage. I frequently use pg_escape_string(). There are
other options for strings being set to the browser, either as html
content or URLs.

You probably should become familiar with the OWASP[1] recommendations as
early as possible. They have a variety of tried and tested functions for
this very purpose. You can use them as is, as models or as frameworks
for your own variations on the theme.

Bob McConnell

[1] <>

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to